Strange Things Are Happening in Mexico’s Banking System

Rumors and denials proliferate, as millions of pesos disappear.

On Sunday it was the turn of Mexico’s second biggest lender, Citibanamex, to be the target of customers’ ire after suffering a system failure that made it impossible for customers to withdraw money from ATMs, pay with their credit or debit cards, or access their online accounts. The incident is estimated to have affected roughly 4.3 million people. On Sunday night, the bank, which is majority owned by Citigroup, announced that the problems had been resolved.

But by Monday morning, a whole new problem had arisen. Customers of Mexico’s biggest bank, BBVA Bancomer, owned by Spanish banking group BBVA, had begun reporting problems accessing the bank’s mobile platform. As happened with TSB and Citibanamex, the problems became apparent first on social media. The bank responded to customer complaints on twitter and Facebook by urging them to restart their devices, switch to the 24 hour clock and reinstall the app. It’s not clear whether that is working.

These latest incidents have raised serious questions about the security of Mexico’s banking system — something we warned about at the beginning of April.

At the end of April a number of financial institutions reported suffering a cyber attack via Bank of Mexico’s SPEI interbank transfer system, an iteration of the SWIFT global payment system. Lorena Martínez, the director of Bank of Mexico’s payment systems, denied rumours that SPEI had been breached. “That has not happened,” she said, adding that the problem was detected in the internet application used by some institutions to connect to the central payment system.

While Bank of Mexico (or Banxico for short) admitted there had been a hack, it denied that any money had been taken. Now, weeks later, sources close to the government investigation claim that cyber thieves had in actual fact siphoned off hundreds of millions of pesos by creating hundreds of phantom orders that wired funds to fake accounts at different five banks, including Mexico’s third largest, Banorte. Accomplices then emptied the fake accounts in cash withdrawals from dozens of branch offices.

According to the official narrative, which keeps changing, the transfers hit accounts of financial institutions in the central bank. If true, it means that no clients have so far been affected.

Nonetheless, to avoid any further problems the five affected banks were instructed to migrate onto a backup connection system, which is a lot slower than the one usually used to connect to SPEI. According to Banxico, over 15 more financial entities have since done the same. “We now have more than 20 banks,” said Martínez. “The contingency system is operated by Bank of Mexico and it provides a secure connection to SPEI, but it processes electronic payments more slowly.”

The central bank is using a team of forensic analysts to try to determine the origin of the alleged cyber attacks. The team, which is working with the affected financial institutions, could take up to two weeks to produce any results, according to Martínez. Until then, the banks that share these providers will continue to use the much slower contingency system.

That, in itself, could be a source of problems. Two days before its own payment system went down, Citibanomex complained about the slowness of inter-bank transfers. “There have been delays in certain inter-bank payments sent or received by our customers,” said the bank. But the bank claims its problems on Sunday had nothing to do with the inter-bank payment system, but were instead a result of “internal hardware issues” — a version of events that was hurriedly corroborated by Mexico’s market regulator, the CNMV.

In recent years Mexico has become a haven for cyber crime — enough to earn it ninth place on PriceWaterhousecooper’s latest list of “economic crime” hot spots. In 2017 it is estimated to have lost $7.7 billion as a result of cyber crime, up from $5.5 billion in 2016, placing it fifth at a global level, behind China, Brazil, the United States and India.

Cyber theft in Mexico is not just the preserve of isolated basement-dwelling hackers but is dominated by highly professional, well-resourced criminal organizations. According to Sebastian Brenner, a security strategist for Symantec Latin America, these are “very well structured groups, with experts for every stage of the process: infiltration, capture, commercialization.”

Some of these organizations may well have the financial means and expertise to pull off a cyber attack targeting the Bank of Mexico’s inter-bank payment system. The hackers may have received assistance inside bank branches, since such big cash withdrawals are uncommon, according to one source. In January this year hackers also attempted to rob the government-run export bank Bancomext, but officials said they failed.

This time, they seem to have enjoyed more success. In doing so, they have raised serious questions about the security of Mexico’s banking system, at a time of acute political instability and economic uncertainty. Fears of capital flight are already on the rise.

The irony is that 2018 was supposed to be the year that banks in Mexico would become more secure by collecting and storing biometric data (finger prints and iris scans) on all of their customers, despite the obvious difficulties they would have protecting that data from cyber criminals. Now, it seems they’re having enough difficulty just protecting their own money. By Don Quijones.

Keep an eye on this story; I, for one, will be interested to see if they catch anybody. The idea of professional hacking groups seems like a Hollywood plot in the age of XKeyscore, et al. There are lots of private firms with access to SAPs, and probably these banks hired one of them. I would think that this, plus existing bank surveillance (including the biometrics that you mentioned) would make catching at least some of the perpetrators a certainty. Perhaps I am guilty of thinking too generally about the histories of Mexico and banking, but the combination of the two leads me to guess that this heist could have been an elaborate cover for embezzlement. Show the loss, blame it on invisible criminals, and bring it back to the Old World…

The professional hacking groups exists. There is even a term “HaaS”, “Hacking as a Service” to make a little riff on the cloudy four-word acronyms, like “SaaS” (Software as a Service).

These people can even do the hosting of exploits, money transfers, customer support, fishing mails, malware, click-fraud and what ever other IT-service someone with a valid credit card and ambitions of sudden wealth could be in need of.

As you suggest, the Mexican banks or employees of those banks could be hiring from the same talent-pool to make some inconvenient holes in the accounts become explainable to the auditors …

Maybe paywalled –

“””
The ease with which outsiders can purchase hacking services and launch their own criminal careers cannot be under estimated. Anyone capable of using an internet search engine and prepared to transfer a few hundred dollars into an E-Gold, PayPal or WebMoney account can begin to tap most of the hacking services out there. And, with a little forethought, can begin to build a service-delivery framework.
“””https://www.sciencedirect.com/science/article/pii/S1361372308701775

Will the people be stupid enough to go 100% digital given that makes revolt harder as authorities say “no cash for you!” Of course, there could be unintended consequences like alternative underground currencies.

IAn alternative underground currency might be a good idea.
It might be our salvation in a crisis.
We cannot trust the establishment to have our backs.
The technology has not been mastered by everyone & yet it has grown more sophisticated, in leaps & bounds.
And our very survival is handcuffed to it.
How wise is this ???

Well, combine this with Argentina current crisis, Brazil huge debt thanks to the “Mundial” and the Olimpics and you can clearly see this year, 2019 and at least 2020 as the “South America goes to sh*t again years.

Back with more of my experiential anecdotes instead of cold hard evidence or facts to back it up but hey I enjoy reading everyone else’s down in the trenches reports from the front lines so here goes.
I was standing in line at the bank today during my lunch hour to cash my salary check when their system crashed. Within minutes there was a line of customers entering the bank. This was lunchtime at a busy retail area surrounded by office buildings. People were at the branch logically asking questions after they couldn’t pay for their lunches or retrieve cash from the ATM. I was left there thinking what if? What if this is THE crash? What if their system is down indefinitely? Serious questions. How could all these other people standing in line manage to go on with their daily routine if their slivers of plastic in hand suddenly stopped working?
Electronic banking has a lot of advantages but is also a dangerous, vulnerable weakness of civilization.
Now I come back to work and read this article which arises a suspicious concern in my mind as I am located very south of the border, deep, deep south.
Only thing worse than paper money is plastic money. Maybe time to do something about those $100 thousand stashed inside the shoe box.

DQ, I’m a reader lacking in knowledge re IT and banking, and it looks to me as if the banking troubles in Mexico (you reported above, May 14) and those in the UK (your post of May 6, re TSB) are broadly similar in that in both cases, customers lost online access to their accounts, and to some extent were unable to withdraw or transfer money, and may have gotten inaccurate reports re their account balances. And in both cases, upper management blamed the troubles on IT troubles. And in both cases, some Commenters have suggested incompetence and/or fraud as causes. I guess it’s true that when it comes to BIG money, time is money, and some made money and some lost money (present tense here ?) in these events.

Is there anything that puts either system (U.K. cf. Mexico) in a better light ? Or are we down to the sniff test ? Where are those Shurrshees when you need them ?

Take a look at Iceland. Since 2008 the demand in Iceland for high denomination notes has sky rocketed! Yes Iceland still does most of it’s financial transactions electronically but they still want some cash money set aside just in case!